
Summary: the secure boot ROM is validated by a SHA-256 hash, instead of being authenticated by a crypto signature, so one is free to tamper with the bootloader as long as the hash is recomputed correctly. The strangest thing is that there is support for RSA signatures, but the feature is just unused.


Not quite. Weakness is later in the chain.

Secure second-stage loader (BL2) loads the secure third-stage loader (BL31) from insecure flash storage, then verifies it by calculating the SHA-256 hash of it and comparing that to the value stored in the same insecure flash.


The Xilinx Zynq has one time programmable eFuse registers for this sort of thing


How easy is it to change the input of SHA256 without changing the output? That strikes me as still very difficult (MD5 is basically worthless for this reason).


For anyone wondering: the hash is part of the boot ROM that is being authenticated
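An added illustration of the points made in this thread (this is example code, not from the article or the vendor's firmware): the hash-only scheme fails without any SHA-256 collision, because the reference value sits in the same writable flash as the image, so an attacker simply recomputes it; a signature scheme whose public-key hash is anchored in ROM or OTP eFuses is what closes the gap. The flash layouts, the field names and the RSA key pairs are constructed for the demo; the keys use Mersenne primes (publicly factorable, textbook RSA with no padding) purely so the block needs no crypto library, and must not be read as a usable signing scheme.

```python
import hashlib

# --- Toy RSA keys (constructed for this example; NOT secure) -------------
# Mersenne primes are used so the block needs no key-generation library.
# Anyone can factor N, so this only models the verification logic.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
OEM_E = 65537
OEM_D = pow(OEM_E, -1, PHI)
ATTACKER_E = 257                 # attacker's own key pair on the same toy modulus
ATTACKER_D = pow(ATTACKER_E, -1, PHI)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pubkey_bytes(n: int, e: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")


def rsa_sign(digest: bytes, d: int) -> int:
    # Textbook RSA over the raw digest (no padding): toy only.
    return pow(int.from_bytes(digest, "big"), d, N)


def rsa_verify(digest: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == int.from_bytes(digest, "big")


# --- Scheme 1: what the thread describes (hash stored beside the image) --
def flash_hash_only(bl31: bytes) -> dict:
    """Flash layout: image plus its SHA-256, both in writable storage."""
    return {"bl31": bl31, "bl31_hash": sha256(bl31)}


def bl2_check_hash_only(flash: dict) -> bool:
    return sha256(flash["bl31"]) == flash["bl31_hash"]


def tamper_hash_only(flash: dict, payload: bytes) -> dict:
    """No collision needed: rewrite the image and the hash next to it."""
    return {"bl31": payload, "bl31_hash": sha256(payload)}


# --- Scheme 2: signature, public key anchored outside flash -------------
# The only immutable value is a hash of the OEM public key; this models
# what would be burned into OTP eFuses or mask ROM.
ROM_PUBKEY_HASH = sha256(pubkey_bytes(N, OEM_E))


def flash_signed(bl31: bytes) -> dict:
    """Flash holds the image, a signature over its digest, and the public key."""
    return {
        "bl31": bl31,
        "bl31_sig": rsa_sign(sha256(bl31), OEM_D),
        "pub_n": N,
        "pub_e": OEM_E,
    }


def bl2_check_signed(flash: dict, rom_pubkey_hash: bytes = ROM_PUBKEY_HASH) -> bool:
    # 1. The key read from flash must match the hash that is NOT in flash.
    if sha256(pubkey_bytes(flash["pub_n"], flash["pub_e"])) != rom_pubkey_hash:
        return False
    # 2. Only then is the signature over the image digest meaningful.
    return rsa_verify(sha256(flash["bl31"]), flash["bl31_sig"],
                      flash["pub_n"], flash["pub_e"])


def tamper_signed_keep_sig(flash: dict, payload: bytes) -> dict:
    """Swap the image but reuse the OEM signature: the digest no longer matches."""
    return dict(flash, bl31=payload)


def tamper_signed_own_key(flash: dict, payload: bytes) -> dict:
    """Swap image, key and signature: fails the ROM/eFuse key-hash check."""
    return {
        "bl31": payload,
        "bl31_sig": rsa_sign(sha256(payload), ATTACKER_D),
        "pub_n": N,
        "pub_e": ATTACKER_E,
    }


if __name__ == "__main__":
    good = b"BL31 v1.0 (constructed sample image)"
    evil = b"BL31 with attacker hook (constructed sample image)"
    print("hash-only, pristine :", bl2_check_hash_only(flash_hash_only(good)))
    print("hash-only, tampered :", bl2_check_hash_only(tamper_hash_only(flash_hash_only(good), evil)))
    print("signed, pristine    :", bl2_check_signed(flash_signed(good)))
    print("signed, old sig     :", bl2_check_signed(tamper_signed_keep_sig(flash_signed(good), evil)))
    print("signed, own key     :", bl2_check_signed(tamper_signed_own_key(flash_signed(good), evil)))
```

The second scheme is the same verification the unused RSA support in the thread's summary would provide: the signature on its own is not enough, since an attacker who can rewrite flash can also drop in a key of their own and sign with it; the check only holds because the public-key hash lives somewhere the attacker cannot write, which is exactly the role of one-time-programmable eFuses or mask ROM.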



